mapbox / mapbox-gl-js

Interactive, thoroughly customizable maps in the browser, powered by vector tiles and WebGL
https://docs.mapbox.com/mapbox-gl-js/

minimist used with security vulnerability #9431

Closed daveisfera closed 4 years ago

daveisfera commented 4 years ago

Currently used versions of minimist in stable versions has a security vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
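
As an added example (not code from minimist or from mapbox-gl-js): a stripped-down argv parser that reproduces the prototype-pollution pattern behind CVE-2020-7598, shown beside a hardened setter. The advisory's patched range (>=0.2.1 <1.0.0 || >=1.2.3) is the one quoted in the audit output later in this thread. The function names, the argv sample and the `polluted` key are constructed for the demonstration.

```javascript
// Added example, not minimist's own code: a deliberately minimal argv parser
// that reproduces the prototype-pollution pattern behind CVE-2020-7598
// (unpatched minimist: <0.2.1 and >=1.0.0 <1.2.3), followed by a hardened
// variant. The unsafe setter splits "a.b.c=value" on dots and walks/creates
// nested objects without checking for "__proto__" or "constructor", so a key
// path through __proto__ lands on Object.prototype.

function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (o[k] === undefined) o[k] = {};
    o = o[k]; // o["__proto__"] is Object.prototype, not a fresh object
  }
  o[keys[keys.length - 1]] = value;
}

// Keys that must never be used as a path segment when building nested objects.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (BLOCKED.has(k)) return; // refuse to walk into the prototype chain
    if (o[k] === undefined || typeof o[k] !== 'object') o[k] = {};
    o = o[k];
  }
  const last = keys[keys.length - 1];
  if (BLOCKED.has(last)) return;
  o[last] = value;
}

// Parse "--a.b=c" style arguments into a nested object using the given setter.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Run the parser on constructed attacker-controlled argv and report whether an
// unrelated, freshly created object now sees the injected property.
function pollutionCheck(setKey) {
  const argv = ['--__proto__.polluted=yes', '--name=map']; // constructed input
  parseArgs(argv, setKey);
  const victim = {};
  const leaked = victim.polluted; // undefined unless Object.prototype was modified
  delete Object.prototype.polluted; // clean up so the process stays usable
  return leaked;
}
```

`pollutionCheck(setKeyUnsafe)` returns the string `'yes'` because the unsafe walk assigned through `Object.prototype`; `pollutionCheck(setKeySafe)` returns `undefined`. The same class of bug applies to any "dotted key to nested object" helper fed by untrusted input, not only argv parsers.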

mourner commented 4 years ago

This was fixed in #9425.

daveisfera commented 4 years ago

That's not currently available in a stable version

mourner commented 4 years ago

v1.9.0 will be released tomorrow; meanwhile, you can use the beta version if that security warning concerns you. It doesn't actually affect GL JS in any way since it's not used by it directly, only for some minor tools for the style specification.

FabianKoestring commented 4 years ago

> v1.9.0 will be released tomorrow; meanwhile, you can use the beta version if that security warning concerns you. It doesn't actually affect GL JS in any way since it's not used by it directly, only for some minor tools for the style specification.

When will v1.9.* be released?

mourner commented 4 years ago

@FabianKoestring there was a minor delay after discovering a regression, but it should be up today hopefully.

GUI commented 4 years ago

Just a heads up that this is not resolved in the new v1.9.0 release (since it sounds like that was maybe expected). Version 1.9.0 still has the minimist version pinned to 0.0.8: https://github.com/mapbox/mapbox-gl-js/blob/v1.9.0/package.json#L30

As an additional note, once v1.9.1 ships (or whichever version includes the update), mapbox-gl would currently still introduce a nested dependency on a vulnerable minimist version due to the @mapbox/geojson-rewind > sharkdown > minimist dependencies. See https://github.com/mapbox/geojson-rewind/issues/27.

I understand this security issue may not really affect mapbox-gl's browser usage, but it might still be nice if this were addressed to cut down on automated security alerts generated by various tools. Here's the current results of yarn audit when run against the newest versions of mapbox-gl (v1.9.0) and @mapbox/geojson-rewind (v0.4.1):

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > @mapbox/geojson-rewind > sharkdown > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > minimist                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

ryanhamley commented 4 years ago

Sorry, there was a miscommunication earlier. This fix was merged after we'd cut the beta branch for 1.9.0 so it did not make it into the release. This doesn't seem urgent enough to necessitate a patch release, especially if the offending version of minimist is still included through a dependency chain so I assume this will go out in 1.10.0 next month.

As for the dependency using minimist, that's not something we'll be able to directly control. We've updated minimist in GL JS and the direct dependency in geojson-rewind. Someone will need to submit a PR to sharkdown to update their dependency on minimist; then, when they release a new version, it should start to be installed along with geojson-rewind. See https://github.com/tmcw-up-for-adoption/sharkdown/blob/407983bcb7a8acf36a7d6ae3d5ad2ed65799e1a8/package.json#L14

mourner commented 4 years ago

@ryanhamley let me deal with geojson-rewind subdeps, it's long overdue for a cleanup.

GagandeepKaur commented 4 years ago

I faced similar audit warnings as mentioned earlier by @GUI. So, this issue is expected to be fixed in the 1.10.0 release in April? Please confirm a tentative date. Mapbox-gl is the only package whose audit failures need to be fixed in my project. So, I am waiting for it to fix its vulnerabilities to have a clean npm audit report.

Thanks Team.

ryanhamley commented 4 years ago

@GagandeepKaur 1.10 is planned to be a significant release, so our timeline with it is more tentative than usual. That said, we expect to cut a beta release next week with an eye towards a full release two weeks later. We've built in an extra week of testing for some larger improvements, so if we find bugs, it's always possible the release could be pushed slightly, but we expect to have 1.10 out this month.

vinayakkulkarni commented 4 years ago

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mapbox/geojson-extent                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mapbox/geojson-extent > @mapbox/geojson-coords >            │
│               │ geojson-flatten > minimist                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mapbox/mapbox-gl-draw                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mapbox/mapbox-gl-draw > @mapbox/geojson-extent >            │
│               │ @mapbox/geojson-coords > geojson-flatten > minimist          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl-draw-circle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl-draw-circle > @mapbox/mapbox-gl-draw >             │
│               │ @mapbox/geojson-extent > @mapbox/geojson-coords >            │
│               │ geojson-flatten > minimist                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mapbox/mapbox-gl-draw                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mapbox/mapbox-gl-draw > @mapbox/geojsonhint > minimist      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl-draw-circle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl-draw-circle > @mapbox/mapbox-gl-draw >             │
│               │ @mapbox/geojsonhint > minimist                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > @mapbox/geojson-rewind > sharkdown > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > minimist                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

karimnaaji commented 4 years ago

Sorry for reopening; we thought this was not addressed for production dependencies, but yarn audit reports issues only for dev ones. Closing back. This will be available in 1.10.
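
As an added example, not part of mapbox-gl-js or any of the tools discussed here, the following script does the triage that both the yarn audit output posted by @GUI and the production-versus-dev distinction in the comment above call for: it walks a package-lock.json in the lockfileVersion 1 layout (nested `dependencies` objects, each with a `version` and, for dev-only installs, `"dev": true`), collects every path ending at minimist, checks the installed version against the advisory's patched range `>=0.2.1 <1.0.0 || >=1.2.3`, and splits the unpatched hits into production and dev-only paths. The lockfile fragment is constructed: the mapbox-gl paths and the 0.0.8, 1.9.0 and 0.4.1 versions mirror this thread, while the sharkdown and nested minimist versions under it and the two `example-*` dev tools are made up.

```javascript
// Added example, not part of mapbox-gl-js: triage a package-lock.json
// (lockfileVersion 1 layout) for the minimist advisory quoted in this thread.

function parseVersion(v) {
  // Lockfiles carry exact versions; a prerelease suffix (e.g. 1.2.3-beta.1) is
  // dropped here, which is sufficient for this range check.
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Patched range from the npm advisory: >=0.2.1 <1.0.0 || >=1.2.3
function isPatched(version) {
  const oldLine = compareVersions(version, '0.2.1') >= 0 && compareVersions(version, '1.0.0') < 0;
  const newLine = compareVersions(version, '1.2.3') >= 0;
  return oldLine || newLine;
}

// Depth-first walk of a lockfile v1 tree; returns every path that ends at `target`.
function findPaths(deps, target, prefix = [], acc = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    if (name === target) {
      acc.push({ path: path.join(' > '), version: entry.version, dev: entry.dev === true });
    }
    findPaths(entry.dependencies, target, path, acc);
  }
  return acc;
}

// Unpatched hits, split by whether the lockfile marks the path as dev-only.
function triage(lock, target = 'minimist') {
  const unpatched = findPaths(lock.dependencies, target).filter(h => !isPatched(h.version));
  return {
    production: unpatched.filter(h => !h.dev),
    devOnly: unpatched.filter(h => h.dev),
  };
}

// Constructed lockfile fragment (see the lead-in for which values are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'mapbox-gl': {
      version: '1.9.0',
      dependencies: {
        '@mapbox/geojson-rewind': {
          version: '0.4.1',
          dependencies: {
            sharkdown: { version: '0.1.0', dependencies: { minimist: { version: '0.0.10' } } },
          },
        },
        minimist: { version: '0.0.8' },
      },
    },
    'example-build-tool': {
      version: '1.0.0', dev: true,
      dependencies: { minimist: { version: '1.2.0', dev: true } },
    },
    'example-lint-tool': {
      version: '2.0.0', dev: true,
      dependencies: { minimist: { version: '1.2.5', dev: true } }, // patched, should not be reported
    },
  },
};

function runSample() {
  return triage(SAMPLE_LOCK);
}

// Hypothetical usage against a real lockfile in the current directory:
// const lock = JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'));
// console.log(triage(lock));
```

On the sample, `runSample()` reports two production paths (`mapbox-gl > @mapbox/geojson-rewind > sharkdown > minimist` and `mapbox-gl > minimist`) and one dev-only path, and drops the patched 1.2.5 entry. Yarn's lockfile is flat rather than nested, so the walk would need adapting there, but the range check and the dev/production split carry over unchanged.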

karimnaaji commented 4 years ago

Available as of yesterday in our beta release: https://www.npmjs.com/package/mapbox-gl/v/1.10.0-beta.1.